According to testimony presented Monday, Yujing Zhang's hotel room contained a signal detector and other suspicious possessions. The malware she carried may have been able to infect a computer as soon as the thumb drive was plugged in.

The possessions in Zhang's hotel included five SIM cards, nine USB drives, yet another cell phone, and a signal detector that could scan an area for hidden cameras, according to reports widely circulated Monday. In addition to the electronics, Zhang's hotel room also contained more than $8,000, with $7,500 of it in US $100 bills and $663 in Chinese currency, The Washington Post reported.

The details came to light at a bond hearing on Monday in a Florida federal court. There, a Secret Service agent testified that the malware Zhang carried was capable of infecting a computer as soon as the thumb drive was plugged in. According to a report published Monday by the Miami Herald:

Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang's thumb-drive into his computer, it immediately began to install files, a "very out-of-the-ordinary" event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.

The New York Times described the Secret Service's thumb drive analysis slightly differently. According to this report:

Mr. Ivanovich testified that the computer analyst who reviewed Ms. Zhang's devices said that the thumb drive she was carrying had immediately begun installing a program on his computer.

"He stated that he had to immediately stop the analysis and shut off his computer to halt the corruption," Mr. Ivanovich said.

Federal prosecutors argued during Monday's hearing that Zhang was a flight risk because she had no ties to the US and couldn't be trusted to tell the truth.

"She lies to everyone she encounters," prosecutor Rolando Garcia told the court, according to CNN.

Zhang's federal public defender, Robert Adler, contended there was no evidence his client was a spy. "She did not have the type of devices that can be associated with espionage activities," Adler said, according to The Washington Post. Federal prosecutors said they have made no allegations Zhang was involved in espionage.

The 32-year-old woman was arrested last weekend after giving conflicting reasons for her visit to the president's club. She initially told a US Secret Service agent she was there to use the pool. A Mar-a-Lago security manager waved her past a security checkpoint after a "potential language-barrier issue" raised the possibility she was the daughter of a member who had the same last name. Once inside, Zhang allegedly told a receptionist she was there to attend a United Nations Chinese American Association event later that evening. After the receptionist confirmed no such event was scheduled to take place, Secret Service agents questioned her. They eventually arrested her on charges of lying to a federal officer and entering restricted property.

A search showed that, when Zhang entered Mar-a-Lago, she was carrying four cellphones, a laptop computer, an external hard drive, and a thumb drive. A preliminary forensic investigation found the thumb drive contained malware. Agents found no swimsuit in her possession.

Authorities have yet to say what kind of malware was stored on the thumb drive. They have also provided few if any details about the cell phones, hard drives, computer, and other electronics found on her person and in her hotel room.

Thumb drive hygiene

Monday's testimony from the Secret Service raises questions about the security practices the agency follows to protect its computers against malware infections. The statement that an agent examining the seized thumb drive had to "immediately stop the analysis to halt any further corruption of his computer" is especially concerning. It suggests that the agent connected the drive to the same computer used for official Secret Service work. USB drives and other peripherals from unknown sources should normally be analyzed only on laboratory equipment designated specifically for that purpose.

"As a taxpayer, I'm very concerned about where Agent Ivanovich's laptop is and where it's been since he plugged a malicious USB into it," Jake Williams, a former hacker for the National Security Agency who is now a cofounder of Rendition Infosec, said on Twitter. "If this was the Secret Service quick reaction playbook, perhaps Zhang planned to get caught all along (not joking)."

Thumb drives have long been used as ways to surreptitiously infect computers. The Stuxnet worm is the best known example of malware that was able to jump from a thumb drive to a computer. While the Windows feature that allowed Stuxnet to spread has been locked down, security experts continue to view thumb drives as a major potential carrier of malware infections.

A Secret Service official speaking on background told Ars that the agency has strict policies over what devices can be connected to computers inside its network and that all of those policies were followed in the analysis of the malware carried by Zhang.

"No outside devices, hard drives, thumb drives, et cetera would ever be plugged into, or could ever be plugged into, a Secret Service network," the official said. Instead, devices being analyzed are connected exclusively to forensic computers that are segregated from the agency network. Referring to the thumb drive confiscated from Zhang, the official said: "The agent didn't pick it up and stick it into a Secret Service network computer to see what was on it." The official didn't know why Ivanovich testified that the analysis was quickly halted when the connected computer became corrupted.

Monday's hearing raised yet another question about Secret Service security. Adler, the public defender representing Zhang, got agent Samuel Ivanovich to admit that "the agency that protects the president largely relied on Mar-a-Lago staff to determine whether to admit her, didn't see red flags in the devices she carried, and asked no further questions of Zhang once they believed she was related to another club member with the same last name—which is extremely common in China."

Expect more scrutiny of the event, the resulting investigation, and the lax policies that led to the breach to continue, possibly for months to come.

This post was updated to add Secret Service comment in the third- and fourth-to-last paragraphs.

She was caught carrying a thumb drive infected with malware, or as it's also known, a thumb drive.

What happened to reports she had multiple Chinese passports on her? I heard that early on, but I suppose it's less interesting than the tech she was carrying. If she did have two passports, it would be interesting to know what the differences were.

And I have to agree we can't discount the idea she was meant to be caught all along. She could just be a distraction, or she could be there to spread disinformation, or (less likely) to get the Secret Service to plug all her stuff in to their network. (I'd hope they had better hygiene than that, but you never know.) Really, the easiest way to get malware into an organisation is to leave it on a CD or USB drive in the car park, so they could have saved themselves some work there.

There are people on the US Government's payroll who are experts in computer forensics. They are the ones who need to be performing the analysis. I just hope the people in the State Department and DOJ don't have a mini turf war over this, get the devices into the right hands ASAP, and prevent the Secret Service from making any more errors in computer security.

If that Samuel guy plugged a random USB drive into a network-connected computer from an unauthorized person attempting to enter Mar-A-Lago, he needs to be bumped down a paygrade or two and/or transferred to something more in line with his skills.

Off the top of my head, Knoppix or some other read-only environment, no other drives attached, air-gapped, BIOS write protection enabled. I'm sure I forgot something but again, off the top of my head.

Another detail that sort of came and went was that Cindy Yang - owner of prostitution spas and friend of Trump at Mar a Lago - was said to have actually had an event scheduled for later that day that matched Yujing Zhang's invitation, which is an even more interesting and alarming connection.

Off the top of my head, Knoppix or some other read-only environment, no other drives attached, air-gapped, BIOS write protection enabled. I'm sure I forgot something but again, off the top of my head.

Don't forget to disconnect the speaker and microphone so the air-gapped computers can't talk to each other.

Oh that's perfectly weird. The Secret Service just plugs in inherently suspicious USB drives into some computer and then has to pull the drive before it does something?

What do they do with hand grenades? Pull the pin to see what happens?

I think that more a more professional approach would be to hand off the drive to someone that might be able to figure out things.

I'm pretty sure DoD has had a "no thumb drives at all" policy for nearly a decade now.

We have a no jeans no cargo pants no tshirts policy. There is no HR presence at this location. How do you think that policy is doing? Edit: if it isn't clear, unless mass storage USB is disabled the users WILL plug shit in. It doesn't matter what policy they've been told.

There are people on the US Government's payroll who are experts in computer forensics. They are the ones who need to be performing the analysis. I just hope the people in the State Department and DOJ don't have a mini turf war over this, get the devices into the right hands ASAP and prevent the Secret Service from making any more errors in computer security.

Trump has the best people working on it.

He does.

Of course his definition of best is loyal and willing to do whatever's asked even if illegal. Especially if illegal.

There's a sort of gap between people with computer security and privacy awareness and not.

Either you are aware of the general surface area present in modern tech and constantly on guard, or you aren't and are susceptible to making a mistake. My guess is the agent in question here is the latter.

It's probably worth noting that autorun is only a partial defense. The way USB devices (and peripherals generally) work is that they have embedded controllers with instructions and writeable memory on them. This means that although visually on the outside it looks like a dumb USB drive, you have no idea what it will do once plugged in.

Thus if you need to investigate a fishy USB drive, you need an isolated machine that you can use. Or, if you aren't doing an investigation, don't attach USB drives unless you trust the source (straight from the manufacturer).
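An added defender-side check, written for this comment and not taken from the article or any commenter: it encodes the point that the USB interface classes a device advertises, not its plastic shell, decide what it can do, and refuses a "storage" device that also enumerates as a keyboard or network adapter. The device records, vendor/product ids and the allow-list are constructed placeholders; on Linux the decision would drive the per-device `authorized` attribute in sysfs.

```python
from dataclasses import dataclass

# USB interface class codes (USB-IF class code table).
CLASS_CDC_CONTROL = 0x02
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A
CLASS_NAMES = {
    CLASS_CDC_CONTROL: "CDC control (serial/network)",
    CLASS_HID: "HID (keyboard/mouse)",
    CLASS_MASS_STORAGE: "mass storage",
    CLASS_CDC_DATA: "CDC data",
}

@dataclass(frozen=True)
class UsbDevice:
    vid: int           # idVendor
    pid: int           # idProduct
    product: str
    interfaces: tuple  # bInterfaceClass of each interface the device enumerates

# Hypothetical allow-list of lab-issued keyboards/mice; the ids are placeholders.
KNOWN_HID = {(0x1234, 0x0001)}

def evaluate(dev, known_hid=KNOWN_HID):
    """Return (authorize, reasons). Storage-only devices pass (they are still
    examined only on the segregated forensic host); an HID interface from a
    device not on the allow-list is refused, since a 'stick' that types
    keystrokes is the pattern the comment warns about; storage mixed with any
    other class is refused; classes the lab has not reviewed are refused."""
    reasons = []
    classes = set(dev.interfaces)
    if not classes:
        return False, ["no interfaces advertised"]
    if CLASS_HID in classes and (dev.vid, dev.pid) not in known_hid:
        reasons.append("unlisted HID interface: device can inject keystrokes")
    others = classes - {CLASS_MASS_STORAGE}
    if CLASS_MASS_STORAGE in classes and others:
        names = ", ".join(CLASS_NAMES.get(c, hex(c)) for c in sorted(others))
        reasons.append("storage device also exposes: " + names)
    unknown = classes - set(CLASS_NAMES)
    if unknown:
        reasons.append("unreviewed class(es): " + ", ".join(hex(c) for c in sorted(unknown)))
    return not reasons, reasons

# Constructed sample devices (vendor/product ids are made up).
PLAIN_STICK = UsbDevice(0xAAAA, 0x0001, "storage stick", (CLASS_MASS_STORAGE,))
BADUSB_STICK = UsbDevice(0xAAAA, 0x0002, "stick that also enumerates a keyboard",
                         (CLASS_MASS_STORAGE, CLASS_HID))
NET_STICK = UsbDevice(0xAAAA, 0x0003, "stick with a network interface",
                      (CLASS_MASS_STORAGE, CLASS_CDC_CONTROL, CLASS_CDC_DATA))
LAB_KEYBOARD = UsbDevice(0x1234, 0x0001, "allow-listed keyboard", (CLASS_HID,))

if __name__ == "__main__":
    # On Linux the result would be written to /sys/bus/usb/devices/<dev>/authorized
    # (1 = allow, 0 = refuse); here it is only printed.
    for d in (PLAIN_STICK, BADUSB_STICK, NET_STICK, LAB_KEYBOARD):
        ok, why = evaluate(d)
        print(f"{d.product}: {'authorized' if ok else 'REFUSED'} {why}")
```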

Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang's thumb-drive into his computer, it immediately began to install files, a "very out-of-the-ordinary" event that he had never seen happen before during this kind of analysis.

Zhang's federal public defender, Robert Adler, contended there was no evidence his client was a spy. "She did not have the type of devices that can be associated with espionage activities," Adler said, according to The Washington Post. Federal prosecutors said they have made no allegations Zhang was involved in espionage.

Moments after uttering this statement, the presiding judge was accidentally impaled on Adler's nose.

Holy crap, she carried NOTHING that wasn't evidence she was ready to engage in espionage activities.

We have a no jeans no cargo pants no tshirts policy. There is no HR presence at this location. How do you think that policy is doing? Edit: if it isn't clear, unless mass storage USB is disabled the users WILL plug shit in. It doesn't matter what policy they've been told.

What makes you think DoD haven't disabled mass storage USB? They've done that to my work, and I don't work for DoD.

Also, a bunch of people ignoring HR policy is a bit different from a bunch of people ignoring Security policy. I'm pretty sure any DoD site will have a Security presence, and they often take security a bit more seriously than whether Steve was wearing socks with sandals on Tuesday.

Just assume that everything around Trump has been compromised in terms of security. There is not a chance this has not happened before, because this looks like a second or third attempt at this (from the news).

Targeted malware and other nasty software can be impossible to remove if it is hiding in the UEFI BIOS or some other hidden parts of the computer.

Another detail that sort of came and went was that Cindy Yang - owner of prostitution spas and friend of Trump at Mar a Lago - was said to have actually had an event scheduled for later that day that matched Yujing Zhang's invitation, which is an even more interesting and alarming connection.

I'm not so alarmed by that. If I was a competent foreign spy agency I'd do due diligence to identify the most probable time I could sneak an asset into a locale and plan for that. I'd also hire a patsy who could be burnt in the event of the insertion going wrong.

For me the fact that the event at mar-a-lardo was scheduled for later in the day points to the asset screwing up rather than a conspiracy (however it does bear looking into. I'll assume the secret service will get to it as soon as their agent replaces his laptop - because I sure as hell wouldn't trust that device ever again. You need to nuke it from space just to be sure!)

Either you are aware of the general surface area present in modern tech and constantly on guard, or you aren't and are susceptible to making a mistake. My guess is the agent in question here is the latter.

Don't Plug in USB Devices would seem to be the kind of thing an agent sent to investigate a suspicious foreign national would be trained in. I agree that Joe Blow police officer or resort security might get this wrong, but if you have reached the step that you are going through a suspect's electronic items you should be in the former set at the very least.

For crying out loud -- 10 or more years ago my university department had a policy that any thumb-drive received from anyone, from a vendor at a conference, etc. first had to be plugged into a test notebook computer without wireless, unplugged from any network and full of the (then) most respected malware detection software. Only after being tested could the drive be otherwise used. This was not a high security issue. We weren't anything other than epidemiologists and statisticians. To my best knowledge essentially everyone complied with the policy. It was common for vendor giveaway thumb drives to install unwanted, annoying browser plug-ins.

Another detail that sort of came and went was that Cindy Yang - owner of prostitution spas and friend of Trump at Mar a Lago - was said to have actually had an event scheduled for later that day that matched Yujing Zhang's invitation, which is an even more interesting and alarming connection.

Was going to post about exactly this. One of this person's stories had a very good match to the sketchy organization that Yang set up to create events to sell access to the president and first family. It's very likely that this is someone taking advantage of Cindy Yang's schemes.

Here's a free clue to all those USSS agents out there - if you find a USB stick, don't plug it into any computer you want to use for anything, ever again. Bag it, tag it, and give it to an expert, you goober.